CN113259107B - Grid-based dual-mode encryption method - Google Patents

Abstract

The invention discloses a lattice-based dual-mode encryption method, which specifically comprises the following steps: firstly, generating a common reference string crs by using a Setup algorithm in a Messy mode or a Decryption mode; secondly, selecting parameters, Bob generates a public key pk by using a secret key generation algorithm₀And the private key sk_b(ii) a Alice encrypts the multi-bit plaintext message by using an encryption algorithm and generates a ciphertext; and finally, Bob decrypts the multi-bit plaintext message by using a decryption algorithm and recovers the plaintext message. The method of the invention solves the defect that the existing dual-mode encryption method on the lattice can only encrypt single-bit messages, provides a more efficient dual-mode encryption method, and can encrypt and transmit multi-bit messages on the basis of keeping the derived OT protocol capable of keeping UC security. The invention makes the dual-mode encryption method more efficient and can be used in a secure multi-party computing scenario.

Description

Grid-based dual-mode encryption method

Technical Field

The invention belongs to the technical field of information security, and particularly relates to a dual-mode encryption method based on lattices.

Background

The public key cryptography can provide key technical theory support such as encryption, authentication, security protocol and the like for the fields of network and information security due to the powerful cryptographic service function. The breakthrough progress of quantum computing technology forms fatal threats to a large number decomposition type and discrete logarithm type public key cryptosystem, so that the 'post-quantum cryptosystem' attracts extensive attention and research in the industry, wherein the 'lattice public key cryptosystem' is represented by the most concerned class in the field by the unique comprehensive advantages (quantum attack resistance, reduction characteristic from the worst case to the average case, simple algorithm, low asymptotic complexity and rich cryptographic service functions).

As a basic two-party computing cryptographic primitive, an Oblivious Transfer (OT) is often applied to a basic operation module in a secure multiparty computing implementation protocol in a black box form. In addition, many cryptographic tasks can be reduced to utilizing the OT to implement their particular functional functions. OT is defined as the sender (marked S) and receiver (marked R) being each a pair of messages (μ;)₀,μ₁) And a message selection bit b e {0,1} as respective inputs, requiring that R can only receive a message mu selected by itself_bFor another message mu_1-bCannot be known; s then the message option b of R cannot be known. Many of the OT protocol schemes currently proposed are either only capableThe security of half-simulation (half-simulation) is obtained, and the half-simulation cannot be integrated into a multi-party computing scene for combined use with other protocols; or, the security of 'full-simulation' is obtained under 'stand-alone model', only the protocol is allowed to be continuously combined with other protocols for use, and the requirement that the cryptographic protocol needs to be asynchronously combined and executed in the modern computer network cannot be met. Therefore, it becomes an important index for designing OT protocol to obtain security under the "Universal Combination (UC)" model (fully-emulated security model that allows arbitrary combinations between protocols to be used).

In 2008, Peikert et al proposed a dual-mode encryption framework (dual-mode encryption framework) under the Common Reference String (CRS) model, and can derive the UC-safe OT protocol and instantiate it With the difficult problem of error Learning (LWE). However, the security of this lattice instantiation scheme in the Decryption mode is weakened, resulting in that the receiver of the OT protocol only obtains computational security (computational security), and CRS can only be used a limited number of times, greatly affecting the protocol performance. In 2020, Quach uses noise flooding (noise flooding) technique to upgrade the receiver security of the above lattice dual mode encryption scheme in Decryption mode to statistical security (statistical security). However, the cost of exploiting noise flooding is the use of a super polynomial modulus, resulting in an inability to construct an efficient emulator for malicious recipients in the UC security attestation of the OT protocol. To solve this problem, Quach utilizes an integer function that approximates an Approximate Smooth Projection Hash (ASPH) function on the middle lattice, making the simulator construction independent of modulus selection. However, the rounding function can only output a 1-bit hash value to conceal a plaintext message in a dual-mode encryption system, and can only achieve the goal by an OT protocol that independently repeats a single-bit message transmission multiple times, if the hidden multi-bit message transmission requirement is to be met. It can be seen that the goodness of the OT protocol design depends on the performance of the underlying encryption algorithm, and constructing an efficient lattice dual-mode encryption system will be an effective way to obtain the lattice UC secure OT protocol.

Disclosure of Invention

The invention aims to provide a dual-mode encryption method based on lattices, which can encrypt and transmit multi-bit plaintext messages on the basis of ensuring that the derived OT protocol has UC security.

The technical scheme adopted by the invention is that the lattice-based dual-mode encryption method is implemented according to the following steps:

step 1, generating a public reference string crs by using a Setup algorithm in a Messy mode or a Decryption mode;

step 2, selecting parameters, and Bob generates a public key pk by using a secret key generation algorithm₀And the private key sk_b；

Step 3, Alice encrypts the multi-bit plaintext message by using an encryption algorithm and generates a ciphertext;

and 4, Bob decrypts the multi-bit plaintext message by using a decryption algorithm and recovers the plaintext message.

The present invention is also characterized in that,

in the step 1, the method specifically comprises the following steps:

in Messy mode: given n as input, let Setup algorithm output crs in Messy mode; n is a security parameter, crs is a common reference string, crs is (A, v), and matrix

Subject each element thereof to

Is uniformly distributed, column vectors are selected

Subject each element thereof to

Wherein q is the modulus,

an m x n order integer matrix expressed modulo q,

an m-dimensional integer column vector representing modulo q;

in Decryption mode: let Setup algorithm output crs in Decryption mode, given n as input, where matrix is (a, v)

Subject each element thereof to

Uniform distribution of the components;

subject each element thereof to

The distribution of the components is uniform, and the components are uniformly distributed,

n-dimensional integer column vector representing modulo q, selecting vector

Subject each element thereof to

The error distribution above, v-A s + e.

In the step 2, the method specifically comprises the following steps:

step 2.1, Bob generates a public key pk using the common reference string crs and the option b ∈ {0,1} as inputs to the key generation algorithm₀And the private key sk_b(ii) a b is a channel decrypted by Bob, and when b is 0, a public key pk is generated₀And the private key sk₀Generating a public key pk when b is 1₀And the private key sk₁；

Step 2.2, from

Each point on the top selected column vector s, sThe amount is subject to uniform distribution from

Each component on the upper selection vector e, e is obeyed

Error distribution over (c), selecting vector f e [ -B [ -c)₂,B₂]Wherein [ -B [ - ]₂,B₂]Is an integer interval, such that f is [ -B [ - ]₂,B₂]Uniformly distributing the upper layer;

step 2.3, let public key pk₀As + e + f-b · v, private key sk_bS, pk is always satisfied for b e {0,1}_b＝As+e+f，pk₁-pk₀＝v。

In step 3, the method specifically comprises the following steps:

step 3.1, from the message space {0,1}^lSelecting a plaintext message mu ═ mu to be encrypted_R,μ_￡) Where l is the length of the message, mu is divided into two parts, where mu_RIs bit 1, mu_￡Is the remaining l-1 bits;

step 3.2, selecting a branch b ', and encrypting Alice on a b' channel, and respectively calculating a public key pk for b 'belonging to {0,1}, wherein b' belongs to the group of {0,1}_b'＝c:＝pk₀+ b'. v, where c is for pk_b'The symbol of (2).

When b' is 0, the public key pk_b'＝0＝pk₀+0·v＝pk₀For encrypting messages mu-mu on 0 channel₀(ii) a When b' is 1, the public key pk_b'＝1＝pk₀+1·v＝pk₀+ v for encrypting messages mu-mu on channel 1₁；

Step 3.3, calculate the transpose P of the n-dimensional column vector_i ^T＝r_i ^TA, selecting a column vector

r_iEach component of (a) is distributed from Gaussian

Medium uniform selection, obeying discrete Gaussian distribution on set Z

Where r is a Gaussian parameter, i ∈ [ n ]]I.e. r_iAre independently decimated n times, where r_i ^TIs r_iTranspose of (P)_i ^TIs P_iTransposing;

step 3.4, calculate the encryption μ_RThe latter 1 st bit cipher text

R is defined as a random rounding function satisfying the following form with the input being Z_qThe output is a 1-bit value, where q is the modulus, Z_qRing representing integer Z modulo q:

step 3.5, calculate the encryption mu_￡The remaining l-1 bit cipher text

First of all, calculate

Wherein r is_kFrom a plurality of independent r_iAny one of the vectors selected from the group consisting of,

is r of_kSetting a binary t-bit integer f ═ a_t-1…a₁a₀The value of the f residual bit is selected to be 0 or 1 except that the g +1 th bit is 0 and the g bit is 1, wherein

Setting generated key xi ═ (a)_t-1,…,a_g+2)^ΤComputing the encryption of f

Step 3.6, get plaintext message μ ═ μ_R，μ_￡) Is encrypted as

Step 3.7, set ciphertext to ct ═ ({ P)_i,β_i}_i≤n,{k,σ_k,β_￡})。

In step 4, the method specifically comprises the following steps:

step 4.1, recover μ of plaintext μ_RIn part

Due to the ciphertext of the 1 st bit

And because of R (P)_i ^TS) and R (R)_i ^TC) equal, and taking the bit value with larger number after decryption as the mu of the plaintext mu_RA moiety;

step 4.2, recover mu of plaintext mu_￡In part

Calculating a secret key

Xi is set as

P_kTo be from a plurality of P_iAny one n-dimensional column vector selected from the above can be used to obtain mu of plaintext mu_￡A moiety;

step 4.3, output plaintext message μ ═ μ_R,μ_￡)。

The invention has the advantages that aiming at the defect that only a single-bit message can be encrypted in the grid dual-mode encryption method, a more efficient dual-mode encryption method is provided by utilizing the principle of a key reconciliation mechanism, the multi-bit message can be encrypted and transmitted on the basis of ensuring that the derived OT protocol can keep the safety of UC, the performance of the dual-mode encryption system is comprehensively improved, and certain innovation can be achieved on the bottom layer theoretical technical level.

Drawings

FIG. 1 is a flow chart of a lattice-based dual-mode encryption method of the present invention.

Detailed Description

The invention is described in detail below with reference to the drawings and the detailed description.

A Sender and a Receiver in an OT scene firstly inquire a reliable third party to obtain crs, and the Receiver is embedded into a self selection b to generate a public key pk₀Sending to Sender, Sender receives public key and uses (pk) separately₀,pk₁) For two channel messages (mu)₀,μ₁) Encrypting to generate ciphertext (ct)₀,ct₁) Then sent to Receiver, which can only correctly decrypt ct_bRecovery of mu_b。

The invention relates to a dual-mode encryption method based on lattices, which is shown in figure 1 and is implemented according to the following steps:

step 1, generating a public reference string crs by using a Setup algorithm in a Messy mode or a Decryption mode;

in Messy mode: given n as input, let Setup algorithm output crs in Messy mode; n is a safety parameter, crs is a common reference string, crs is equal to (A, v), and matrix

Subject each element thereof to

Is uniformly distributed, column vectors are selected

Subject each element thereof to

On the surface of the steel sheet is uniformA distribution, wherein q is the modulus,

an m x n order integer matrix expressed modulo q,

an m-dimensional integer column vector representing modulo q;

in Decryption mode: let Setup algorithm output crs in Decryption mode given n as input, where n is the security parameter, crs is the common reference string, let crs ═ a, v, where the matrix

Subject each element thereof to

Are uniformly distributed.

Subject each element thereof to

Wherein q is the modulus,

an m x n order integer matrix expressed modulo q,

n-dimensional integer column vector representing modulo q, selecting vector

Subject each element thereof to

Error distribution of^mFor error distribution, v ═ As + e ═ is calculated.

Crs generated in the Messy mode and crs generated in the Decryption mode are computationally indistinguishable. The Messy mode and the Decrypt mode are parallel, and only one of the two modes needs to generate the common reference string crs.

Step 2, selecting parameters, and Bob generates a public key pk by using a secret key generation algorithm₀And the private key sk_bThe method specifically comprises the following steps:

step 2.1, Bob generates a public key pk using the common reference string crs and the option b ∈ {0,1} as inputs to the key generation algorithm₀And the private key sk_b(ii) a b is a channel decrypted by Bob, and when b is 0, a public key pk is generated₀And the private key sk₀Generating a public key pk when b is 1₀And the private key sk₁；

Step 2.2, from

Each component on the top-selected column vector s, s is subject to a uniform distribution, from

Obeying each component on the upper selection vector e, e

Error distribution over (c), selecting vector f e [ -B [ -c)₂,B₂]Wherein [ -B [ - ]₂,B₂]Is an integer interval, such that f is [ -B [ - ]₂,B₂]Uniformly distributing the upper layer;

step 2.3, let public key pk₀As + e + f-b · v, private key sk_bAlways, pk is satisfied for b e {0,1}_b＝As+e+f，pk₁-pk₀＝v。

And 3, utilizing an encryption algorithm by Alice to encrypt the multi-bit plaintext message and generate a ciphertext, specifically:

step 3.1, from message space {0,1}^lSelecting a plaintext message mu ═ mu to be encrypted_R,μ_￡) Where l is the length of the message, mu is divided into two parts, where mu_RIs bit 1, mu_￡Is the remaining l-1 bits;

step (ii) of3.2, selecting a branch b ', and encrypting Alice on a b' channel, and respectively calculating a public key pk for b 'belonging to {0,1}, wherein b' belongs to the public key pk_b'＝c:＝pk₀+ b'. v, where c is for pk_b'The symbol of (2).

When b' is 0, the public key pk_b'＝0＝pk₀+0·v＝pk₀For encrypting messages mu-mu on 0 channel₀(ii) a When b' is 1, the public key pk_b'＝1＝pk₀+1·v＝pk₀+ v for encrypting messages mu-mu on channel 1₁(ii) a For b ∈ {0,1, the public key pk is always satisfied_bAs + e + f corresponds to the message mu on the encrypted b channel_b. The clear text message for either the 0 or 1 lane is applicable, and is denoted herein as μ.

Step 3.3, calculate the transpose P of the n-dimensional column vector_i ^T＝r_i ^TA, selecting a column vector

r_iEach component of (a) is distributed from gaussians

Medium uniform selection, obeying discrete Gaussian distribution on set Z

Where r is a Gaussian parameter where i ∈ [ n ]]I.e. r_iAre independently decimated n times, where r_i ^TIs r_iTranspose of (P)_i ^TIs P_iTransposing;

step 3.4, calculate the encryption mu_RThe latter 1 st bit cipher text

Wherein c is calculated as (3b), R is defined as a random integer satisfying the following form, and the input is Z_qThe output is a 1-bit value, where q is a modulus, Z_qRing representing integer Z modulo q:

step 3.5, calculate the encryption mu_￡The remaining l-1 bit cipher text

First, calculate

Wherein r is_kFrom a plurality of independent r_iAny one of the vectors selected from the group consisting of,

is r_kSetting a binary t-bit integer f ═ a_t-1…a₁a₀The value of the f residual bit is selected to be 0 or 1 except that the g +1 th bit is 0 and the g bit is 1, wherein

Setting generated key xi ═ a_t-1,…,a_g+2)^ΤComputing the encryption of f

Step 3.6, get plaintext message μ ═ (μ)_R，μ_￡) Is encrypted as

Step 3.7, set ciphertext to ct ═ ({ P)_i,β_i}_i≤n,{k,σ_k,β_￡})。

And 4, Bob decrypts the multi-bit plaintext message by using a decryption algorithm and recovers the plaintext message, and Bob can correctly decrypt the ciphertext message on the selected branch b channel and recover the plaintext mu_bThe recovered plaintext message mu cannot be correctly decrypted on the 1-b channel_1-b(ii) a The method specifically comprises the following steps:

step 4.1, recover μ of plaintext μ_RIn part

Due to the ciphertext of the 1 st bit

And because of R (P)_i ^TS) and R (R)_i ^TC) equal, and taking the bit value with larger number after decryption as the mu of the plaintext mu_RA moiety;

step 4.2, recover mu of plaintext mu_￡In part

Calculating a secret key

Xi is set as

P_kTo be from a plurality of P_iAny one of the selected n-dimensional column vectors,

is P_kQ is modulus, where the probability of ξ being equal to ξ in step 3 is 1, μ in the clear text μ can be obtained_￡A moiety;

step 4.3, output plaintext message μ ═ μ_R,μ_￡)。

The method of the invention provides a more efficient dual-mode encryption method by utilizing the principle of a key reconciliation mechanism aiming at the defect that only a single-bit message can be encrypted in the dual-mode encryption method on the lattice, and can encrypt and transmit a multi-bit message on the basis of ensuring that the derived OT protocol can keep the safety of UC.

Claims (1)

1. A dual-mode lattice-based encryption method is characterized by being implemented according to the following steps:

step 1, generating a public reference string crs by using a Setup algorithm in a Messy mode or a Decryption mode; the method comprises the following specific steps:

in Messy mode: given n as input, let Setup algorithm output crs in Messy mode; n is a security parameter, crs is a common reference string, crs is (A, v), and matrix

Subject each element thereof to

Is uniformly distributed, column vectors are selected

Subject each element thereof to

Wherein q is the modulus,

an m x n order integer matrix expressed modulo q,

an m-dimensional integer column vector representing modulo q;

in Decryption mode: let Setup algorithm output crs in Decryption mode, given n as input, where matrix is (a, v)

Subject each element thereof to

Uniform distribution of the components;

subject each element thereof to

The distribution of the components is uniform, and the components are uniformly distributed,

n-dimensional integer column vector representing modulo q, selecting vector

Subject each element thereof to

The error distribution of (a), v ═ As + e;

step 2, selecting parameters, and Bob generates a public key pk by using a secret key generation algorithm₀And the private key sk_b(ii) a The method specifically comprises the following steps:

step 2.1, Bob generates a public key pk using the common reference string crs and the option b ∈ {0,1} as inputs to the key generation algorithm₀And the private key sk_b(ii) a b is a channel decrypted by Bob, and when b is 0, a public key pk is generated₀And the private key sk₀Generating a public key pk when b is 1₀And the private key sk₁；

Step 2.2 from

Each component on the top-selected column vector s, s is subject to a uniform distribution, from

Obeying each component on the upper selection vector e, e

Error distribution over (c), selecting vector f e [ -B [ -c)₂,B₂]Wherein [ -B [ - ]₂,B₂]Is an integer interval, such that f is [ -B [ - ]₂,B₂]Uniformly distributing the upper layer;

step 2.3, let public key pk₀As + e + f-b · v, private key sk_bAlways, pk is satisfied for b e {0,1}_b＝As+e+f，pk₁-pk₀＝v；

Step 3, Alice encrypts the multi-bit plaintext message by using an encryption algorithm and generates a ciphertext; the method comprises the following specific steps:

step 3.1, from the message space {0,1}^lSelecting a plaintext message mu ═ mu to be encrypted_R,μ_￡) Where l is the length of the message, mu is divided into two parts, where mu_RIs bit 1, mu_￡Is the remaining l-1 bits;

step 3.2, selecting a branch b ', and encrypting Alice on a b' channel, and respectively calculating a public key pk for b 'belonging to {0,1}, wherein b' belongs to the group of {0,1}_b'＝c:＝pk₀+ b'. v, where c is for pk_bThe symbol of';

when b' is 0, the public key pk_b'＝0＝pk₀+0·v＝pk₀For encrypting messages mu-mu on 0 channel₀(ii) a When b' is 1, the public key pk_b'＝1＝pk₀+1·v＝pk₀+ v for encrypting messages mu-mu on channel 1₁；

Step 3.3, calculate the transpose of the n-dimensional column vector

Selecting a column vector

r_iEach component of (a) is distributed from Gaussian

Medium uniform selection, obeying discrete Gaussian distribution on set Z

Where r is a Gaussian parameter, i ∈ [ n ]]I.e. r_iAre independently extracted n times, wherein

Is r of_iThe transpose of (a) is performed,

is P_iTransposing;

step 3.4, calculate the encryption μ_RThe latter 1 st bit cipher text

R is defined as a random rounding function satisfying the following form with the input being Z_qThe output is a 1-bit value, where q is the modulus, Z_qRing representing integer Z modulo q:

step 3.5, calculate the encryption mu_￡The remaining l-1 bit cipher text

First of all, calculate

Wherein r is_kFrom a plurality of independent r_iAny one of the vectors selected from the above-mentioned vectors,

is r of_kSetting a t-bit integer f ═ a in binary form_t-1…a₁a₀The value of the f residual bit is selected to be 0 or 1 except that the g +1 th bit is 0 and the g bit is 1, wherein

Setting generated key xi ═ (a)_t-1,…,a_g+2)^ΤComputing the encryption of f

Step 3.6, plaintext message

Is encrypted as

Step 3.7, set the ciphertext to

Step 4, Bob decrypts the multi-bit plaintext message by using a decryption algorithm and recovers the plaintext message; the method specifically comprises the following steps:

step 4.1, recover μ of plaintext μ_RIn part

Due to the ciphertext of the 1 st bit

And because of R (P)_i ^TS) and

and taking the bit value with the maximum number after decryption as the mu of the plaintext mu_RA moiety;

step 4.2, recovery of the plaintext mu

In part

Calculating a secret key

Xi is set as

P_kTo be from a plurality of P_iAny one n-dimensional column vector selected from the above can be used to obtain the plaintext mu

A moiety;

step 4.3, outputting the plaintext message

Images